Moodle: Load Google SSO client library in custom page - redirect

I am developing the custom redirection page in moodle(Version 3.8). Which will check the valid google sso id_token received from query parameters and the details of that id_token will be crosschecked with moodle database. If the user will be valid as per database then it will automatically fetch the password for that user from database allow user to login.
How can i load the google sso client library in my custom page for id_token verification and details, also how can i access moodle database in random custom page?

Related

How to identify a Google user account by JWT?

I have a flutter Android app which implements Google sign in, and ASP.NET core Web API server, which using token-based authentication. Android app sends jwt token to server, which contains such information as email, username etc. So on server. I need a parameter, on which user can be authorized.
Does Google's JWT contains any information, which is unique for every account?
If jwt does not, is it possible to get a unique identifier after validating this token using GoogleJsonWebSignature.ValidateAsync(token)?

2-hop 'authorization code' flow oauth2 authentication for centrailzed social login

Introduction
I have my own user account database and am building an oauth2 authorization server to centralize authentication logic across my companies' websites using authorization code grant type.
Let's say I have deployed my authorization server's login page at https://auth.my.company.com, and deployed a website at https://my.website1.com. When a user click on the login button at https://my.website1.com, the typical oauth2 authroization code flow will be triggered as shown in the picture below.
To explain the picture:
The user access to https://my.website1.com which renders a login button.
The user is navigated to the centralized login page with url https://auth.my.company.com?client_id=mysite1&redirect_url=https://my.website1.com/oauth/callback
The user enters username and password and submit the login form.
After the authrization server validates the user credential, it redirects the user back the the redirect_url https://my.website1.com/oauth/callback?auth_code=abcd passing a parameter auth_code=abcd
The website backend server communicates with the authorization server using the input auth_code to authenticate the user, the authorization server returns an access token.
The website responses to the user that the login process is success.
The Problem
At https://my.website1.com, I would like that the user can also login with his/her Facebook account, which will be bound with the account in my user account database. I would like to centralized this process as well (i.e. so that my another site https://my.website2.com can reuse the same login process). So I am thinking of implementing a 2-hop oauth flow as in the following picture.
The user access to https://my.website1.com which renders a login button.
The user is navigated to my centralized Facebook login endpoint https://auth.my.company.com/facebook
The authorization resolves its Facebook client id and redirect url and then redirect the user to Facebook login page.
The user logins through Facebook.
Facebook redirects the user back to my authorization server, passing the authroization code.
My authorization server uses the authroization code from Facebook to authenticate the user with Facebook APIs
My authorization server redirects the user back to https://my.website1.com passing its own generated authorization code.
The website backend server communicates with the authorization server using the input auth_code to authenticate the user, the authorization server returns an access token.
The website responses to the user that the login process is success.
Question
I cannot find any reference to this kind of 2-hop oauth so I am afraid that I am doing it wrong. I would like to know if there are standard approch the handle the centralized social login like this.
Found a reference from IBM website that looks very similar to the flow in question. Here

How to implement external login to identity backend from Xamarin

I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.
I have a Xamarin app that logs to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login to Facebook from the app?
Should I create a separate Facebook app for Android or should I use the same as the website?
What would be the flow?
I am thinking of something like:
Using the Facebook sdk to log in
Pass the token to the server
Check from server side if the email exists or the FB user id exists
If yes check whether the app is registered using Facebook and if yes login
If no create an account
But until now I haven't stored the user's Facebook Id (only the email, that the user can also modify).
Xamarin.Auth is client library and currently has no server side implementations.
So, your server is Protected Resource and Facebook will be Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access Protected Resource presenting access_token as a credential. Protected Resource will perform token introspection (this could be separate service-server) which will decode the token, lookup username (mail) and check expiration of the token.
This is not specified in draft (RFC) so check how FB does token introspection.
Few links for more info:
How to validate an OAuth 2.0 access token for a resource server?
http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html
https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server
https://connect2id.com/products/server/docs/api/token-introspection
https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/

Okta - How do I identify currently logged on user in this case?

I will try to keep the question as clear and direct as possible.
Social authentication (Facebook) configured with Okta with redirect URI as URL to my custom webapp. This custom webapp relies on Okta for authentication.
User visits my custom webapp (unauthenticated) and clicks on the social authentication URL to login to my custom webapp.
User follows the normal flow, gets authenticated by facebook and thereby by Okta (as per usual flow) and is then redirected by Okta back to the custom webapp.
The entire flow is successful and the user can see an Okta session cookie set in their browser.
Custom webapp now needs to show the user their own profile by making an Okta API call.
Problem: How can my custom webapp identify who just logged in so that they can fetch their Okta profile using API?
I am aware that Okta knows who just logged in due to claims that facebook sends to the OAuth client (Okta), but how will my app know the identity of the user who logged in?
Thanks,
Jatin
It depends on the OAuth2 flow you've chosen for your app, but the end state is getting an id_token from Okta which contains claims about the user that just logged in.
If you've set response_type=code in your social auth url (/authorize), after Step 4 you'll get a code query param in the redirect that you can then exchange for the id_token using the /token endpoint.
Or, if you've set response_type=id_token, you should already have the id_token in the redirect - you just need to validate/decode it (more info here).

Login flow from mobile app on web server with Facebook Oauth

I have a web application built with Spring and spring security that allows user to register ether via Facebbok or creating an account, in both cases an web app account is created. So the 2 registering methods are the following::
Registering directly on the web app: the username and password are stored in the db.
Registering via facebook: the user logins into facebook (Outh), the web app retrieve the data from facebook to fill the registration form. The web app prompt the user to create the webapp account. In my database I store web app user and facebook data (access token etc..), so that the second time I try to login I can match the facebook account with the web app account (I use spring social).
Now I'm creating a rest service for the mobile app and it requires authentication. I use the basic http auth to access the web services.
My question now is how to Log in a user in my web application using spring security?
What I thought was:
Mobile app logs into facebook and retrieve the access_token (no contact with the web application server yet)
Mobile app sends access token to the web app
Web app checks if the access token is valid ether with db or directly with facebook
In case is valid the access token, the app sends back to the mobile app the username and the password (could be encrypted with a private key algorithm)
Once receive the web app user and password the user is authenticated and this information are stored on the mobile and used for http auth.
Do you think this flow is secure? do you have other ideas?
Thank you in advance